Commenters Weigh In on Clinton's Email PracticesInterview Creates Lively Debate on Security vs. Convenience
Those commenting on my recent interview with Purdue University Computer Science Professor Eugene Spafford about Hillary Clinton's email server controversy are divided over whether users will devise ways to circumvent systems safeguards to do their jobs more effectively.
"Where security policy isn't in sync with the way people work, policy workarounds and 'exceptions' become the rule," Scott Petry, CEO and co-founder of Authentic8, a provider of secure browsing, writes in the podcast's comments section.
"Humans have such a high, innate risk tolerance that we will take all sorts of risks for the sake of expediency and achievement."
But a commenter identified as DJL - David J. Lineman, president of information security and data privacy products and services provider Information Shield - writes that convenience "is an extremely weak justification for a major violation of security policy. You can be sure that if the CSO of a Fortune 100 company had a personal server in her basement that stored trade secrets, and there was a known breach, she would be terminated."
Clinton, the presumptive Democratic Party nominee for president, used private email servers while serving as secretary of state. An FBI investigation found that Clinton, despite her denial, knowingly used the private servers to transmit a few messages marked classified. But the Justice Department declined to prosecute, which dismayed many of her political critics.
Spafford, in the interview, lamented that the debate surrounding the use of private email servers concentrated on politics and failed to focus on why such things happen. "I think this is more politically driven than it's functionally driven because if it were functionally driven, people would say, 'What are the root causes, and how do we fix them?' rather than trying to assign blame."
Taking Risks for Expedience Sake
A commenter identified as Jennifer WhoDat Farwell, agrees, writing that it's irrelevant whether Clinton felt what she did was right or wrong. "Humans have such a high, innate risk tolerance that we will take all sorts of risks for the sake of expediency and achievement," Farwell writes. "That is how we got to the top of the food chain. Instead of debating whether she made a typical human error (which she did), let's have a productive conversation about using technology to help humans be more productive without engaging in risky behaviors we are not programmed to avoid."
Spafford contends that security professionals should do more to create secure systems that can help individuals perform their jobs efficiently. It's a point picked up by Wendy M. Grossman, a journalist who previously blogged about this matter. "HRC had requested a secure Blackberry and been refused," Grossman writes in response to my interview. "I know security is important, but it's incredible to me that the security people apparently thought their ideas about technology should take precedence over what the U.S. secretary of state was telling them about her working needs. Collaboration with people who need to do their jobs needs to be a top priority in doing good security."
"Baloney," responds another commenter using the handle voice-of-experience. "Convenience nor ignorance had nothing to do with why this private server was setup. HRC did not want her emails to be discovered as they would expose her corrupt activities."
Commenter Ms NoWay Jose contends "we are heading down a slippery slope of failures" if we allow convenience to trump security. "Security is security; it's not like hundreds of millions of identities haven't been stolen worldwide. It's not like we don't have to worry about intelligence leaking because both of these are happening far too much from incompetence and security ignorance. Sorry, but the security of our national intelligence is far more important than the convenience of someone who doesn't want to follow the laws. If you can't handle the job, then get out."
State Department Inaction
One question that seems unanswered is why the higher-ups responsible for State Department IT security didn't put a stop to Clinton's use of private email servers if they posed a security risk. "Didn't her private email server have a different domain suffix than the usual State Department ones?" asks Patrice Boivin, CEO of Orion Software, a provider of software to the rental industry. "Why in the world didn't anyone notice this or do something about it is my question. Bureaucracies are full of organizational chart boxes where the people in the boxes are either incompetent, running amok, or not allowed to make the decisions that go with their job descriptions. Someone must have noticed; question is, why wasn't this nipped in the bud?"
Commenting on the blog's premise focusing on developing secure systems that also facilitate the work habits of users, Jay Wack writes: "The situation is all the more frustrating because there are solutions and standards available that satisfy all concerned from an ease of use perspective and from the security perspective. ANSI, a national peer review process, has published several standards directly applicable. X9.69 and X9.73 specifically. Designed for secure information sharing. A problem for all of us."
These are just a sampling of the many comments we received on my Spafford interview. It's not too late for you to join this discussion. Post your comments below.